Identity hub allows universities to share resources securely.

InCommon Federation, an identity hub that helps universities securely share resources, brought more schools and service providers to its fold this week and further strengthened its message that sharing identity is essential to securing distributed networks.

The federation, which serves as the trusted facilitator and policy setter for identity exchanges among universities and service providers, added 10 universities, four service providers and an independent identity provider to its hub. It now has 35 members in its federation which is a model for Internet2 technologies.

It is also a model to justify the benefits of identity federation, where two or more organizations establish trust between their identity systems so users authenticated by one company can access resources on the network of another company.

Federation is often seen as a futuristic technology in the broad area of identity management, but InCommon is proving today that federation can secure information access among partners while ensuring the privacy of individual users.

“Federation is something that has been envisioned by those with a long scope to the future as to how networking is going to operate in an information and knowledge based world,” says Tracy Mitrano, director of IT policy at Cornell University and the chair of the InCommon Steering Committee. “As we move to that world, we are seeing the value of real federations among universities, information providers and service providers.”

And, she says, it is happening on a global scale.

“There is no question that higher education is already participating in a flat world, so to speak, and federation makes that possible.”

The InCommon Federation uses the Shibboleth identity federation architecture as the basis for controlling access to the resources maintained by members. Shibboleth is based on the Security Assertion Markup Language (SAML) and is a foundation technology for Internet2’s Abilene Network. The architecture also lets universities and individuals set privacy policies to control what type of user information can be released to each destination.

The Internet2 consortium, which is made up of 208 universities, has developed the Abilene Network for education and high-speed data transfers.

Those transfers are being secured through InCommon’s framework, which requires participants to share with each other authoritative and accurate identity information and information about their identity management system.

InCommon is not a hub that routes network traffic but instead shapes policy for joining identity management systems. InCommon members communicate directly with one another over the Internet and Abilene Network.

Based on disclosures made through InCommon, members of the federation decide if they “trust” one another’s identity management systems and if they want to federate those systems so they can exchange SAML assertions to validate user authentication and provide authorization to access network resources. InCommon does not dictate a minimum set of requirements each participant’s identity system must include.

Federation is one element of the explosion in technology around identity management, which is widely regarded as key to securing digital resources on distributed networks.

Major companies such as IBM, Microsoft, Novell, Oracle and Sun are building the technology into their identity management suites. And independent vendors such as Ping Identity also offer federation technology, which is in is use by such companies as American Express and New York Life.

The InCommon network is made up of 24 universities and 11 sponsored partners such as new member Cdigix, which has a portfolio of legally available digital entertainment and educational content for higher education.

The company recently partnered with the University of Washington to offer students and facility access to that portfolio. The secure access is based on the InCommon framework so Cdigix can ensure controlled access without revealing users’ personal information.

The University of Maryland Baltimore County and Penn State University use InCommon as the basis for a partnership with Symplicity, which helps students manage, identifyand apply for internships and post-academic careers. Penn State also uses plagiarism protection services from Turnitin through the InCommon network so professors can better monitor for plagiarism.

InCommon has two criteria for trustworthiness that members must follow. The first is that their identity management system must fall under the purview of the organization’s executive management, and second, the system for issuing end-user credentials must have appropriate risk management measures in place.

The group also is looking to establish new criteria to govern federations where sensitive or regulated data is exchanged.

“We are seeing a very interesting point in the progression of federation,” says John Krienke, manager of integrated operations at Internet2 and operations manager for InCommon. “When we look at particular protected resources that have constraints and highly regulated sensitive data or services, we are looking at can we have another level where we establish criteria that participants would be required to meet in order to be involved in this new level of federation.”

The bottomline for InCommon is that the group is not only proving federation works, it is setting up a model for addressing the legal and other questions that abound when organizations federate identities, such as who is liable if identity information falls into the wrong hands.

“InCommon has been a pioneer in talking about what trust means from a legal, policy and business perspective,” says Mitrano, the InCommon Steering Committee chair. “We look at situations in an open, collaborative and collective manner. We take the contract process out of the lawyers office and make it open and available to the larger world.”